From e3f30ad646f18c23b95ec1a62ea38f2a7848fb36 Mon Sep 17 00:00:00 2001

From: Jim Jagielski <jim@apache.org>

Date: Wed, 7 Aug 2019 11:14:58 +0000

Subject: [PATCH] Merge r1864526 from trunk:

* modules/metadata/mod_remoteip.c (remoteip_process_v2_header,

  remoteip_input_filter): Add sanity checks.

Submitted by: jorton, Daniel McCarney <cpu letsencrypt.org>

Submitted by: jorton

Reviewed by: jorton, covener, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864613 13f79535-47bb-0310-9956-ffa450edef68

---

 STATUS                          |  5 -----

 modules/metadata/mod_remoteip.c | 36 ++++++++++++++++++++++++---------

 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c

index 4572ce12a95..a0cbc0ff77c 100644

--- a/modules/metadata/mod_remoteip.c

+++ b/modules/metadata/mod_remoteip.c

@@ -987,15 +987,13 @@ static remoteip_parse_status_t remoteip_process_v2_header(conn_rec *c,

                     return HDR_ERROR;

 #endif

                 default:

-                    /* unsupported protocol, keep local connection address */

-                    return HDR_DONE;

+                    /* unsupported protocol */

+                    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183)

+                                  "RemoteIPProxyProtocol: unsupported protocol %.2hx",

+                                  (unsigned short)hdr->v2.fam);

+                    return HDR_ERROR;

             }

             break;  /* we got a sockaddr now */

-

-        case 0x00: /* LOCAL command */

-            /* keep local connection address for LOCAL */

-            return HDR_DONE;

-

         default:

             /* not a supported command */

             ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507)

@@ -1087,11 +1085,24 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,

     /* try to read a header's worth of data */

     while (!ctx->done) {

         if (APR_BRIGADE_EMPTY(ctx->bb)) {

-            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block,

-                                 ctx->need - ctx->rcvd);

+            apr_off_t got, want = ctx->need - ctx->rcvd;

+

+            ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want);

             if (ret != APR_SUCCESS) {

+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184)

+                              "failed reading input");

                 return ret;

             }

+

+            ret = apr_brigade_length(ctx->bb, 1, &got;;

+            if (ret || got > want) {

+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185)

+                              "RemoteIPProxyProtocol header too long, "

+                              "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT,

+                              got, want);

+                f->c->aborted = 1;

+                return APR_ECONNABORTED;

+            }

         }

         if (APR_BRIGADE_EMPTY(ctx->bb)) {

             return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF;

@@ -1139,6 +1150,13 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,

                 if (ctx->rcvd >= MIN_V2_HDR_LEN) {

                     ctx->need = MIN_V2_HDR_LEN +

                         remoteip_get_v2_len((proxy_header *) ctx->header);

+                    if (ctx->need > sizeof(proxy_v2)) {

+                        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186)

+                                      "RemoteIPProxyProtocol protocol header length too long");

+                        f->c->aborted = 1;

+                        apr_brigade_destroy(ctx->bb);

+                        return APR_ECONNABORTED;

+                    }

                 }

                 if (ctx->rcvd >= ctx->need) {

                     psts = remoteip_process_v2_header(f->c, conn_conf,